Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exchange Security

Posted on 2006-06-13
14
Medium Priority
?
488 Views
Last Modified: 2010-03-19
Hi,

I'm planning an Exchange server installation within the next few weeks. We don't have an DMZ or FE/BE for Exchange and I'm concerned about allowing SSL and SMTP traffic straight into our LAN. We have a PIX as our perimeter firewall here lies my question: Is a PIX (SMTP, SSL open) alone secure enough or should I put ISA somewhere in the mix? I've read some articles suggestoing SSL through PIX is a vulnerability as PIX cannot read encrypted traffic. Anyone have any comments on this?

Ciderspine.
0
Comment
Question by:Ciderspine
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
  • +2
14 Comments
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16893246
PIXs are usually good enough. But do not forget that to secure it it is not enough to have but to properly configure it. The same idea applies to the ISA box. For instance, you can have 3 Pixes, 1 ISA, ... but as long as they are not configured correctly ... see the idea??

Good knowledge on tcp/ip would allow you to set this up properly, even with a single PIX only.

Cheers
0
 
LVL 1

Expert Comment

by:Hyppy
ID: 16893260
Your PIX should be secure enough, as long as you specify only your exchange server in the ACL for SMTP/SSL access.
0
 
LVL 13

Expert Comment

by:hstiles
ID: 16893405
SSL through to OWA on your Exchange Server is OK.  Plenty of companies operate without a FE/BE configuration.

However, I would strongly advise setting up a mail relay in a DMZ as this provides a physical barrier between your mail server and the outside world.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 26

Expert Comment

by:Leon Fester
ID: 16893435
'I've read some articles suggestoing SSL through PIX is a vulnerability as PIX cannot read encrypted traffic. Anyone have any comments on this?'

I think what you possibly read could have been something along the lines of ISA 2004 being able to do stateful packet inspection on encrypted data.

Check out this link for some more info on ISA and Exchange.
http://www.microsoft.com/isaserver/evaluation/overview/default.mspx
0
 

Author Comment

by:Ciderspine
ID: 16894076
Thanks for you comments - I suspected the PIX was secure enough.

I have a relay planned for SMTP. I take it if I wanted to relay SSL traffic to OWA I would have to run a FE xchange?

Ben
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16894328
And the points are for me and ... ? :)

Cheers
0
 

Author Comment

by:Ciderspine
ID: 16900461
Whoever answers this question gets the points.


I take it if I wanted to relay SSL traffic to OWA I would have to run a FE xchange?

0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 750 total points
ID: 16900475
Not neccessarily OWA works independantly of whether your server is a FE or BE Server.

Ideally you'd wanna setup as a backend server...
0
 

Author Comment

by:Ciderspine
ID: 16902099
Thanks chaps!
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16903802
Your question: "here lies my question: Is a PIX (SMTP, SSL open) alone secure enough or should I put ISA somewhere in the mix? I've read some articles suggestoing SSL through PIX is a vulnerability as PIX cannot read encrypted traffic. Anyone have any comments on this?"

My answer:
"PIXs are usually good enough. But do not forget that to secure it it is not enough to have but to properly configure it. The same idea applies to the ISA box. For instance, you can have 3 Pixes, 1 ISA, ... but as long as they are not configured correctly ... see the idea??

Good knowledge on tcp/ip would allow you to set this up properly, even with a single PIX only. "

This same answer was in "tune" with other users's answers as well ... I think there should've been a split. Also, I just cannot see where is dvt_localboy's answer better than mine. Could you please show me that??

Anyway ... I guess the moderator will decide ... they shold be saying something soon ....

Cheers
0
 

Author Comment

by:Ciderspine
ID: 16905110
His answer was not 'better than yours' it was simply a more appropriate answer in my opinion.

Ciderspine. (because it's always summer in my world)
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 16906022
Just to clarify though ... I never meant that dvt_localboy didnt' deserve any points. He/she just didn't deserve all of them. As I stated already, there should have been a split. More clear than that I can't be!

Cheers
0
 

Author Comment

by:Ciderspine
ID: 16906853
You don't like beans - Jelly beans?

I agree - I should have split the points. My mistake. Is there a way I can give you some points - I'm happy to do so? EE is such a fantastic resource and I think all of you experts who selflessly give your hard-earned knowledge and time to help others in the IT community deserve medals and I thank you all.

Really - you don't like jelly beans? I thought eveyone liked Jelly Beans?

Cheers matey! No hard feelings. Let's keep EE a place of knowlege and love.

Ciderspine
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question